ATM Skimming Attacks Hit NY Hospitals

Local police are investigating ATM skimming attacks at four New York hospitals. Security experts warn that fraudsters will likely continue to target locations, including hospitals, where ATMs are not closely monitored and around-the-clock access to the terminals is available.

"These skimming attacks are actually a major problem at ATMs in many locations," says financial fraud expert Shirley Inscoe, analyst for the consultancy Aite. "Skimming is currently the No. 1 threat at ATMs in the U.S. The problem is even growing at many financial institution locations, because they have outsourced ATM servicing, and staff no longer perform daily inspections as they did when the machines were serviced internally."

But when ATMs are placed in remote locations, the risk of skimming is even greater, Inscoe adds. Fraudsters often disguise themselves as service technicians or armored car personnel, fooling passersby into thinking they have a reason to be tampering with the ATM, she says.

"ATMs that are out of the way and not monitored are obviously at risk," Inscoe says. "But frankly, any machine can be compromised, since thieves work 24x7 and people don't really question anyone working on a machine. If they are wearing some type of official-looking uniform, people assume what they are doing is legitimate."

The New York Police Department has not yet revealed how it believes fraudsters successfully compromised ATMs in this most recent attack. For now, the department is focused on finding two individuals it believes are behind the attacks, according to a media alert sent to Information Security Media Group.

"It was reported to police that skimming devices were installed in hospital ATM machines between Wednesday, Aug. 24, 2016, and Tuesday, Nov. 1, 2016," the alert states. "The individuals used victim's personal information to make duplicate cards to make several unauthorized cash withdrawals."

So far, skimming devices have been found at ATMs located in Memorial Sloan-Kettering and New York Presbyterian Hospital in Manhattan, New York Methodist Hospital in Brooklyn, and Jamaica Hospital Medical Center in Queens, according to police. The theft of more than $40,000 has been linked to the attacks, reports CBS New York.

Hospitals Are Easy Targets

Financial fraud expert Avivah Litan, an analyst at the consultancy Gartner, says ATM fraudsters gravitate to the points of least resistance - which often includes hospitals.

"Hospital staff can barely keep up with the ER waiting rooms, let alone worry about ATM security," she says. "Hospitals make perfect targets for ATM skimmers, and I'm sure we will see more of these ATM skimming attacks at hospitals and other understaffed, undersecured healthcare facilities in the coming year or two."

The best solution, Litan says: Install tamper-resistant ATMs. "I expect that will also start happening in the next year or two," she says.

Al Pascual, head of fraud and security at Javelin Strategy & Research, says it's unlikely that only four hospitals were targeted in this scheme. "Hospitals and ATM operators throughout the New York metro area should be inspecting ATMs installed at hospitals, as this is likely to be a far more pervasive crime than has been reported," he says.

ATM Skimming: Growing Worry

Banking executives see ATM skimming as a growing problem, with 68 percent of executives recently surveyed by Aite ranking ATM skimming as a "severe" or "very severe" threat, Inscoe says.

"When skimming crews use fraudulent cards sporadically over a long period, it makes detection harder," Buzzard says. "This may explain the two-month distance from exposure to fraud. Keep in mind that circa 1999 it took an average of three months from skim to fraud, so we are sort of tone deaf to just how rapid these skimming cases blossom in today's world. Two months seems long, but I'm sure they were staggering their unauthorized withdrawals to evade detection."

Pascual says that's why ATMs managed and operated by third parties, outside the bank or credit union, are a top area of fraud concern. These ATMs are less likely to be inspected on a regular basis for skimming devices and/or other tampering relative to their bank-branch counterparts, he says.

"I wouldn't say that the security of hospital ATMs, in particular, is a significant concern for our issuer and bank clients but, rather, third-party ATMs in general," Pascual explains. "These ATMs are much more likely to suffer from physical and logical security issues, when compared to bank ATMs."

The continued use of magnetic-stripe debit cards, which can be easily skimmed, is a cause for concern, says William Murray, an independent financial fraud consultant. "While ATMs are being upgraded to EMV [chip] and a few banks are implementing "cardless/mobile, they continue to accept [information] on mag-stripes," he says. "There is no (U.S.) end-of-life plan for mag-stripe," because all EMV chip cards still retain magnetic-stripes, Murray adds.

"There is not even a plan for EMV-only cards," he says. "This vulnerability is likely to be around for a long time."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.